Specifications

Authentication and Authorization
Services such as the login window and Apple Filing Protocol (AFP) service request user
authentication from Open Directory. Authentication is part of the process by which a
service determines whether it should grant a user access to a resource. Usually this
process also requires authorization.
Authentication proves a user's identity, and authorization determines what the
authenticated user is permitted to do. A user typically authenticates by providing
a valid name and password. A service can then authorize the authenticated user to
access specific resources. For example, file service authorizes full access to folders
and files that an authenticated user owns.
You experience authentication and authorization when you use a credit card. The
merchant authenticates you by comparing your signature on the sales slip to the
signature on your credit card. Then the merchant submits your authorized credit
card account number to the bank, which authorizes payment based on your account
balance and credit limit.
Open Directory authenticates user accounts, and service access control lists (SACLs)
authorize use of services. If Open Directory authenticates you, the SACL for login
window determines whether you can log in, then the SACL for AFP service determines
whether you can connect for file service, and so on.
Some services also determine whether a user is authorized to access specific resources.
This authorization can require retrieving other user account information from the
directory domain. For example, AFP service needs the user ID and group membership
information to determine which folders and files the user is authorized to read from
and write to.
About Open Directory Passwords
When a user's account has a password type of Open Directory, the user can be
authenticated by Kerberos or the Open Directory Password Server. Kerberos is a
network authentication system that uses credentials issued by a trusted server. Open
Directory Password Server supports the traditional password authentication methods
that some clients of network services require.
Kerberos and Open Directory Password Server do not store the password in the user's
account. Instead, they store passwords in secure databases apart from the directory
domain, and passwords can never be read. Passwords can only be set and verified.
Malicious users might attempt to log in over the network hoping to gain access to
Kerberos and Open Directory Password Server. Open Directory logs can alert you
to unsuccessful login attempts. (See Viewing Open Directory Status and Logs on
page 181.)
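As an added example, not taken from the Apple guide, the following Python script shows the kind of check an administrator can run over Password Server log output to turn the unsuccessful login attempts mentioned above into an alert: repeated failures for one user from one address inside a short window. The log line layout, the user names and the addresses are constructed assumptions and not the real log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log in an assumed layout (real Password Server output may differ);
# the last line is deliberately malformed to show that non-matching lines are skipped.
SAMPLE_LOG = """\
2008-01-15 10:23:40 AUTH2: {0x4a,alice} from 10.0.1.20 DIGEST-MD5 authentication succeeded
2008-01-15 10:23:41 AUTH2: {0x4b,bob} from 10.0.1.55 DIGEST-MD5 authentication failed
2008-01-15 10:23:42 AUTH2: {0x4b,bob} from 10.0.1.55 DIGEST-MD5 authentication failed
2008-01-15 10:24:01 AUTH2: {0x4b,bob} from 10.0.1.55 CRAM-MD5 authentication failed
2008-01-15 10:25:30 AUTH2: {0x4b,bob} from 10.0.1.55 DIGEST-MD5 authentication failed
2008-01-15 11:00:00 AUTH2: {0x4c,carol} from 10.0.1.77 DIGEST-MD5 authentication failed
2008-01-15 15:10:00 AUTH2: {0x4c,carol} from 10.0.1.77 DIGEST-MD5 authentication failed
SERVER: replication checkpoint complete
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) AUTH2: \{0x[0-9a-f]+,(?P<user>[^}]+)\} "
    r"from (?P<src>\S+) \S+ authentication (?P<result>succeeded|failed)$"
)

def parse_log(text):
    """Turn matching log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       "user": m["user"], "src": m["src"], "result": m["result"]})
    return events

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Map (user, source) -> peak failures inside any one window, for pairs reaching threshold."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failed":
            failures[(e["user"], e["src"])].append(e["ts"])
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted failure times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts
```

Isolated failures such as carol's two attempts hours apart do not trigger an alert, while bob's four failures within two minutes do.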
38 Chapter 3 Open Directory Authentication